[Users] ser with radius group checking - something amiss

Velimir Novkovic voip at e-prometheus.org
Tue Mar 7 20:45:14 CET 2006


Yes. And I learnt it the hard way this time - a couple of days of debug-like work.
It turned out that group-checking entries in Radius configs need to be
before any user-specific ones - generally speaking.

SER module works correctly all the way (in my experience).

Thanks for your indication though.

/Vel
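The debug trace quoted further down is the symptom to look for: a request carrying Service-Type = Group-Check that the server nonetheless hands to the digest module. As an added example (not from this thread or from SER/FreeRADIUS), here is a small Python check that scans a FreeRADIUS debug log for exactly that pattern; the trace it runs on is constructed to mirror the quoted one, with a second, correctly handled request added for contrast.

```python
import re

# Constructed FreeRADIUS debug trace modelled on the one quoted in the thread: request 18
# is a group check that fell into digest authentication; request 19 is the same check
# once the server answers Service-Type = Group-Check with Auth-Type Accept.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:34027, id=18, length=72
        User-Name = "81000@sage.home.local"
        Sip-Group = "voicemail"
        Service-Type = Group-Check
  Processing the authorize section of radiusd.conf
  rad_check_password:  Found Auth-Type Digest
ERROR: No Digest-Nonce: Cannot perform Digest authentication
auth: Failed to validate the user.
rad_recv: Access-Request packet from host 127.0.0.1:34028, id=19, length=72
        User-Name = "81000@sage.home.local"
        Sip-Group = "ld"
        Service-Type = Group-Check
  rad_check_password:  Found Auth-Type Accept
Sending Access-Accept of id 19 to 127.0.0.1:34028
"""

RAD_RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+), id=(\d+)")
ATTR = re.compile(r'^\s*([\w-]+) = "?([^"]*)"?\s*$')     # attribute dump lines
AUTH_TYPE = re.compile(r"Found Auth-Type (\S+)")         # method chosen by authorize

def parse_requests(log_text):
    """Split a debug trace into one dict per packet: attributes, Auth-Type, outcome."""
    requests, cur = [], None
    for line in log_text.splitlines():
        if m := RAD_RECV.match(line):           # a new packet starts a new record
            cur = {"id": int(m.group(3)), "attrs": {}, "auth_type": None, "failed": False}
            requests.append(cur)
        elif cur is None:
            continue                            # noise before the first packet
        elif m := AUTH_TYPE.search(line):
            cur["auth_type"] = m.group(1)
        elif "Failed to validate the user" in line:
            cur["failed"] = True
        elif m := ATTR.match(line):
            cur["attrs"][m.group(1)] = m.group(2)
    return requests

def misrouted_group_checks(requests):
    """Group-Check requests handed to a real authentication method (anything but Accept):
    the sign that a user-level Auth-Type overrode the group-level one."""
    return [r for r in requests
            if r["attrs"].get("Service-Type") == "Group-Check"
            and r["auth_type"] not in (None, "Accept")]
```

Run `misrouted_group_checks(parse_requests(open("radius.debug").read()))` against a real `radiusd -X` capture; every record it returns is a group check that will fail the way the quoted one did.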

-----Original Message-----
From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro] 
Sent: Tuesday, March 07, 2006 11:21 AM
To: Velimir Novkovic
Cc: 'OpenSER ((E-mail))'
Subject: Re: [Users] ser with radius group checking - something amiss

Hi Velimir,

not an expert on RADIUS, but my guess is that the problem is in the RADIUS 
server configuration - it should not request authentication for the 
"Service-Type = Group-Check"

regards,
bogdan

Velimir Novkovic wrote:

> Hi,
>
> I run SER with Radius/MySQL for authentication and accounting.
>
> Things are pretty much in place except for group checking. I have 
> something like this in my ser.cfg:
>
> ....
>
> modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
> modparam("group_radius", "use_domain", 1)
>
> .....
>
> if (uri=~"^sip:[0-9]{8}@") { # Domestic PSTN
>     if (!radius_is_user_in("credentials", "ld")) {
>         sl_send_reply("403", "No permission for domestic calls");
>         return;
>     };
>     route(4);
>     return;
> };
>
> ....
>
> When I look at Radius debug log I can see that when ser sends a 
> request to radius, radius wants to do digest on it and then the 
> complete request fails and call can't go through. Output looks 
> something like this:
>
> ..
>
> rad_recv: Access-Request packet from host 127.0.0.1:34027, id=18, length=72
>         User-Name = "81000@sage.home.local"
>         Sip-Group = "voicemail"
>         Service-Type = Group-Check
>         NAS-Port = 0
>         NAS-IP-Address = 127.0.0.1
>   Processing the authorize section of radiusd.conf
> ..
> ** bunch of sql statements ...
> ..
> modcall: group authorize returns ok for request 17
>   rad_check_password:  Found Auth-Type Digest
> auth: type "digest"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 17
> ERROR: No Digest-Nonce: Cannot perform Digest authentication
>   modcall[authenticate]: module "digest" returns invalid for request 17
> modcall: group authenticate returns invalid for request 17
> auth: Failed to validate the user.
>
> In the databases I have the following:
>
> mysql> SELECT id,UserName,Attribute,Value,op FROM radreply
>        WHERE Username = '81000@sage.home.local' ORDER BY id;
> +----+-----------------------+--------------+-------------+----+
> | id | UserName              | Attribute    | Value       | op |
> +----+-----------------------+--------------+-------------+----+
> | 18 | 81000@sage.home.local | Service-Type | Group-Check | := |
> +----+-----------------------+--------------+-------------+----+
> 1 row in set (0.00 sec)
>
> mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck
>        WHERE Username = '81000@sage.home.local' ORDER BY id;
> +----+-----------------------+---------------+------------------------------------+----+
> | id | UserName              | Attribute     | Value                              | op |
> +----+-----------------------+---------------+------------------------------------+----+
> | 23 | 81000@sage.home.local | User-Password | $1$d7XAeahG$9f17cb8JaKj8R1z9GpwG4/ | := |
> | 25 | 81000@sage.home.local | Sip-Rpid      | 81000                              | =  |
> | 30 | 81000@sage.home.local | Auth-Type     | Digest                             | := |
> +----+-----------------------+---------------+------------------------------------+----+
>
> mysql> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,
>        radgroupcheck.Value,radgroupcheck.op
>        FROM radgroupcheck,usergroup
>        WHERE usergroup.Username = '81000@sage.home.local'
>        AND usergroup.GroupName = radgroupcheck.GroupName
>        ORDER BY radgroupcheck.id;
> +----+-----------+-----------+--------+----+
> | id | GroupName | Attribute | Value  | op |
> +----+-----------+-----------+--------+----+
> | 12 | voicemail | Auth-Type | Accept | := |
> +----+-----------+-----------+--------+----+
>
> Has anyone had a chance to do something like this with success? I am 
> stuck at the moment - any help is greatly appreciated.
>
> Thanks.
>
> /Vel
>